The bottom line: Fewer customers were affected, but passport data was compromised.

The hotel chain says Chinese hackers were behind the breach, and even with the revised figures, down to 383 million records as the upper limit, the breach is still the largest data loss in history, greater than the Equifax breach or any other recent data breaches.

The Marriott investigation has revealed a new vulnerability in hotel systems: what happens to passport data when a customer makes a reservation or checks into a hotel, usually abroad, and hands over a passport to the desk clerk. Marriott said for the first time that 5.25 million passport numbers were kept in the Starwood system in plain, unencrypted data files — meaning they were easily read by anyone inside the reservation system. An additional 20.3 million passport numbers were kept in encrypted files, which would require a master encryption key to read. It is unclear how many of those were American passports, and how many came from other countries.

“There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers,” Marriott said in a statement.

Of particular concern for many is the hacking of sensitive passport data, among other identifying information.

The company announced that about 5.25 million unencrypted passport numbers were stolen in the hack, while another 20.3 million encrypted passport numbers were taken.

[…]

There were about 8.6 million encrypted credit card numbers stolen in the breach as well, Marriott said. It’s still investigating how many stolen payment card numbers were not encrypted.

Marriott is also promising to take new steps to protect passport information, which has led some to question why better security protocols weren’t already in place.

The New York Times continued:

Asked how Marriott was handling the information now that it has merged Starwood’s data into the Marriott reservations system — a merger that was just completed at the end of 2018 — Connie Kim, a company spokeswoman, said: “We are looking into our ability to move to universal encryption of passport numbers and will be working with our systems vendors to better understand their capabilities, as well as reviewing applicable national and local regulations.”

The State Department issued a statement last month telling passport holders not to panic, because the number alone would not enable someone to create a fake passport. Marriott has said it would pay for a new passport for anyone whose passport information, hacked from their systems, was found to be involved in a fraud. But that was something of a corporate sleight of hand, since it provided no coverage for guests who wanted a new passport simply because their data had been taken by foreign spies.

The company has avoided some tough questions due to the nature of the attack. Because the data probably was stolen by a state actor, the breach has yet to lead to fraudulent transactions.

The New York Times continued:

So far the company has ducked addressing that issue by saying it has no evidence about who the attackers were, and the United States has not formally accused China in the case. But private cyberintelligence groups that have looked at the breach have seen strong parallels with the other, Chinese-related attacks underway at the time. The company’s president and chief executive, Arne Sorenson, has not answered questions about the hacking in public, and Marriott said he was traveling and declined a request from The Times to talk about hacking.

The company also said that about 8.6 million credit and debit cards were “involved” in the incident, but those are all encrypted — and all but 354,000 cards had expired by September 2018, when the hacking, which went on for years, was discovered.

So far, there are no known cases in which stolen passport or credit card information was found in fraudulent transactions. But to cyberattack investigators, that is just another sign that the hacking was conducted by intelligence agencies, not criminals.

On social media, many have voiced concern about the purloined passport data:

In the case of China, it would allow that country’s security ministry to add to databases of aggregated information on valued individuals. Those data points include information on people’s health, finances and travel.

“You can identify things in their past that maybe they don’t want known, points of weakness, blackmail, that type of thing,” said Priscilla Moriuchi, an analyst with Recorded Future who specialized in East Asia at the U.S. National Security Agency, where she spent 12 years. She left the agency in 2017.